Patents by Inventor I-Lung Kao

I-Lung Kao has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10726141
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Grant
    Filed: December 5, 2017
    Date of Patent: July 28, 2020
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Publication number: 20180101690
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Application
    Filed: December 5, 2017
    Publication date: April 12, 2018
    Applicant: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 9886588
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: February 6, 2018
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 9104776
    Abstract: A computer-implemented method, computer program product, and apparatus for identity mapping with self-correction for cascaded server systems is provided. A request to perform a business transaction is received. Responsive to performing a first server process of the business transaction, the servers necessary to perform the business transaction are identified, forming a set of identified servers. A user identity is retrieved for each server in the set of identified servers, wherein the user identity for each server in the set of identified servers is linked to a user registry of a server, forming a set of linked user identities. A data structure comprising the set of linked user identities is created. A user identity for a next server in the set of identified servers is retrieved from the data structure. In addition, the data structure is forwarded to a next server in the set of identified servers.
    Type: Grant
    Filed: July 15, 2008
    Date of Patent: August 11, 2015
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 8904359
    Abstract: A method, system, and computer usable program product for on-demand monitoring of memory usage are provided in the illustrative embodiments. An indication of a memory leak in an application is detected where the application is operating in a data processing system and using a memory associated with the data processing system. An instruction to begin monitoring a memory usage of the application is received responsive to the detection. Responsive to receiving the instruction to begin, the memory usage of the application is monitored. An instruction to dump a data related to the monitoring is received and the data is dumped. An instruction to end the monitoring is received and the monitoring is ended. The detecting, the beginning, the dumping, and the ending may occur while the application remains in operation and while the application uses the memory. The memory leak is confirmed using the data.
    Type: Grant
    Filed: March 6, 2008
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: I-Lung Kao, Frances L. Chang
  • Publication number: 20140223508
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Application
    Filed: April 8, 2014
    Publication date: August 7, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: I-Lung Kao
  • Patent number: 8695088
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Grant
    Filed: May 8, 2012
    Date of Patent: April 8, 2014
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 8495730
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Grant
    Filed: October 12, 2009
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 8296820
    Abstract: Techniques are disclosed for attaching security policies to secured computing systems. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: October 23, 2012
    Assignee: International Business Machines Corporation
    Inventors: I-Lung Kao, Daniel Paul Kolz
  • Patent number: 8290955
    Abstract: Embodiments of the invention are generally related to data security, and more specifically to data classification. The nodes of a hierarchical data structure may be displayed in a graphical user interface (GUI). The GUI may be configured to receive selection of a data classification type. Upon receiving a selection of a data classification type, a probability of a node containing data objects that may be classified as the selected data classification type may be displayed adjacent to the node, thereby allowing efficient location and classification of the data objects.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: I-Lung Kao, Daniel P Kolz
  • Publication number: 20120227083
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Application
    Filed: May 8, 2012
    Publication date: September 6, 2012
    Applicant: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Patent number: 8214832
    Abstract: A technique for implementing separation of duties for transactions includes determining a current task assignment number of an entity. The technique also includes determining whether the entity can perform a new task based upon the current task assignment number and a task transaction number (which is based on at least one prime number) assigned to the new task.
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: July 3, 2012
    Assignee: International Business Machines Corporation
    Inventor: I-Lung Kao
  • Publication number: 20110088079
    Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.
    Type: Application
    Filed: October 12, 2009
    Publication date: April 14, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: I-Lung Kao
  • Publication number: 20100070505
    Abstract: Embodiments of the invention are generally related to data security, and more specifically to data classification. The nodes of a hierarchical data structure may be displayed in a graphical user interface (GUI). The GUI may be configured to receive selection of a data classification type. Upon receiving a selection of a data classification type, a probability of a node containing data objects that may be classified as the selected data classification type may be displayed adjacent to the node, thereby allowing efficient location and classification of the data objects.
    Type: Application
    Filed: September 18, 2008
    Publication date: March 18, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: I-Lung Kao, Daniel P. Kolz
  • Publication number: 20100017425
    Abstract: A computer-implemented method, computer program product, and apparatus for identity mapping with self-correction for cascaded server systems is provided. A request to perform a business transaction is received. Responsive to performing a first server process of the business transaction, the servers necessary to perform the business transaction are identified, forming a set of identified servers. A user identity is retrieved for each server in the set of identified servers, wherein the user identity for each server in the set of identified servers is linked to a user registry of a server, forming a set of linked user identities. A data structure comprising the set of linked user identities is created. A user identity for a next server in the set of identified servers is retrieved from the data structure. In addition, the data structure is forwarded to a next server in the set of identified servers.
    Type: Application
    Filed: July 15, 2008
    Publication date: January 21, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: I-Lung Kao
  • Publication number: 20090228870
    Abstract: A method, system, and computer usable program product for on-demand monitoring of memory usage are provided in the illustrative embodiments. An indication of a memory leak in an application is detected where the application is operating in a data processing system and using a memory associated with the data processing system. An instruction to begin monitoring a memory usage of the application is received responsive to the detection. Responsive to receiving the instruction to begin, the memory usage of the application is monitored. An instruction to dump a data related to the monitoring is received and the data is dumped. An instruction to end the monitoring is received and the monitoring is ended. The detecting, the beginning, the dumping, and the ending may occur while the application remains in operation and while the application uses the memory. The memory leak is confirmed using the data.
    Type: Application
    Filed: March 6, 2008
    Publication date: September 10, 2009
    Applicant: International Business Machines Corporation
    Inventors: I-Lung KAO, Frances L. Chang
  • Publication number: 20090187964
    Abstract: A method and apparatus for attaching security policies to secured computing systems is provided. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.
    Type: Application
    Filed: January 18, 2008
    Publication date: July 23, 2009
    Inventors: I-Lung Kao, Daniel Paul Kolz
  • Publication number: 20090132266
    Abstract: A method, system, and computer program product for using weighted condition primitives to facilitate the description of a business policy for providing a web service to a user. When a set of facts associated with a user requesting a web service is obtained, an evaluation of each weighted condition primitive in a business policy is performed using the set of facts. A weight value assigned to a result of the evaluation of each weighted condition primitive is identified, and a total weight value of the identified weight values is calculated. The total weight value is then compared against a pre-defined business weight threshold condition. If the total weight value satisfies the pre-defined business weight threshold condition, the web service is provided to the user. If the total weight value does not satisfy the pre-defined business weight threshold condition, the request by the user for the web service is denied.
    Type: Application
    Filed: November 19, 2007
    Publication date: May 21, 2009
    Inventors: I-Lung Kao, Dah-Haur Lin
  • Publication number: 20090077555
    Abstract: A technique for implementing separation of duties for transactions includes determining a current task assignment number of an entity. The technique also includes determining whether the entity can perform a new task based upon the current task assignment number and a task transaction number (which is based on at least one prime number) assigned to the new task.
    Type: Application
    Filed: September 19, 2007
    Publication date: March 19, 2009
    Inventor: I-Lung Kao
  • Patent number: 7451147
    Abstract: A method in a data processing system for providing security to target passwords in a global sign on system centralized database. In a preferred embodiment, a target password is received by the global sign on system. The target password is encrypted in a user selected encryption manner to create an encrypted password. The encrypted password and an indication of encryption manner chosen is then stored in the centralized database.
    Type: Grant
    Filed: November 18, 1999
    Date of Patent: November 11, 2008
    Assignee: International Business Machines Corporation
    Inventors: I-Lung Kao, Shaw-Ben Shepherd Shi